MS sec update blocks (a)dsl/cable access !!! - GoFuckYourself.com

DutchTeenCash · 02-05-2004, 03:22 AM

This is important, esp for ppl who use dailers that are NOT IP based. We received a notification from one of Hollands leading dailer companies but it seems noone here or in germany (goodthinkx?) found out.

this is the MS update

http://www.microsoft.com/technet/tre...n/MS04-004.asp

this is the important stuff

A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker's choice in the address bar, but with content from a Web Site of the attacker's choice inside the window. For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)

resulting in no more daileraccess methods using user:pass@

Our partner for dailers reprogrammed everything and already offered a solution for IP based access. Check your dailercompany if they use the same method and are aware of this.

Since this is a CRITICAL update everyone will do this within a few days, XP offered it on many pc's here mondaymorning already.

If you still dont realise what this means : no more (a)dsl and cablemodem access for your sites if the dailer uses a non ip based script.

Hope i helped a bit getting the word out.

02-05-2004, 03:22 AM	#1
DutchTeenCash I like Dutch Girls Join Date: Feb 2003 Location: dutchteencash.com Posts: 21,684	MS sec update blocks (a)dsl/cable access !!! This is important, esp for ppl who use dailers that are NOT IP based. We received a notification from one of Hollands leading dailer companies but it seems noone here or in germany (goodthinkx?) found out. this is the MS update http://www.microsoft.com/technet/tre...n/MS04-004.asp this is the important stuff A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker's choice in the address bar, but with content from a Web Site of the attacker's choice inside the window. For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.) resulting in no more daileraccess methods using user:pass@ Our partner for dailers reprogrammed everything and already offered a solution for IP based access. Check your dailercompany if they use the same method and are aware of this. Since this is a CRITICAL update everyone will do this within a few days, XP offered it on many pc's here mondaymorning already. If you still dont realise what this means : no more (a)dsl and cablemodem access for your sites if the dailer uses a non ip based script. Hope i helped a bit getting the word out. __________________ ICQ 16 91 547 - SKYPE dutchteencash bob AT dutchteencash DOT com ... did you see our newest Sweet Natural Girl Priscilla (18)?